Hundreds of thousands of websites are currently at risk due to vulnerabilities identified in two popular WordPress plugins, Kirki and Burst Statistics. Security experts at Defiant have raised alarms about these flaws, which could allow attackers to exploit sites using these plugins.
Kirki Plugin Security Flaw
Kirki, known for enhancing WordPress customization and page creation, has been flagged for a critical vulnerability affecting its versions 6.0.0 to 6.0.6. This flaw, tracked as CVE-2026-8206 with a severity score of 9.8, compromises the password reset mechanism. Attackers can manipulate this feature by providing a username and a fabricated email address, receiving a password reset key at the attacker-controlled email.
This security lapse permits attackers to reset the password of a high-privilege account, potentially taking over the entire WordPress site. It highlights a significant risk to site administrators who have not yet updated to the latest plugin version.
Burst Statistics Vulnerability
Burst Statistics, a tool offering analytics insights for WordPress users, is also under scrutiny. Versions 3.4.0 to 3.4.1.1 suffer from an authentication bypass vulnerability. This issue allows unauthorized users to elevate their privileges and assume administrator rights on a compromised site.
The vulnerability arises from a flaw in the validation of application passwords, enabling attackers to exploit the REST API and temporarily impersonate an administrator. The implications include unauthorized access to critical administrative functions, such as creating new admin accounts.
Preventive Measures and Recommendations
Defiant reports blocking thousands of attack attempts targeting these vulnerabilities in just 24 hours. They caution that a significant number of sites remain vulnerable, with Kirki installed on over 500,000 sites and Burst Statistics on more than 200,000.
To safeguard against these threats, users are strongly advised to update their plugins. The latest secure versions are Kirki 6.0.7 and Burst Statistics 3.4.2. These updates contain patches that address the security concerns identified.
In conclusion, staying vigilant and ensuring plugins are updated promptly is crucial in maintaining website security. As cyber threats evolve, proactive measures are essential to protect digital assets from exploitation.
